Anomaly detection using ODM

I was asked the following question:
"My question is very simply, we are doing a monitoring system for a
website that helps the admin to mine on specific data (using ODM to
produce Web mining) so we want to apply the anomaly detection. We don't
know what we should do and what we should produce as results."
A couple of suggestions come to mind:
1) For an overall discussion of intrusion detection in general using the Oracle RDBMS as an analytical platform the following paper might be useful:
http://www.oracle.com/technology/products/bi/odm/pdf/odm_based_intrusion_detection_paper_1205.pdf
2) A couple of things to think about and do:
(a) Define what is the "mining case", that is, the object that defines the concept you want to mine. For example, in web mining you may want to detect anomalous session activity. This can be defined over the whole activity of a session or over time windows. In the first case each session will define a mining case (it will be a row in the training data). In the second case each session will generate many mining cases, one per time window. Let's assume for the sake of discussion that the goal is to identify anomalous session activity. Then the training data will consist of the session activities (e.g., clicks, pages visited, and/or information from forms; or more generally, HTTP requests). There will be one row per session in the training data. If we know beforehand that some of those sessions were intrusions or anomalous in some sense, we can also capture this data as a target for supervised modeling.
(b) Decide what modeling to do. Two types of modeling can be performed (see the paper above for examples):
(i) Supervised modeling - in case there are examples of anomalous cases as well as normal cases
This can be done by building a classifier on the training data. It is also possible to measure the quality of the classifier on a held aside sample.
(ii) Unsupervised modeling - this should be done as well even if we can create a supervised model
Unsupervised approaches don't provide a measure that indicates how good the model is at predicting anomalous events. These models are better at ranking cases by how anomalous the model believes they are.
Two common unsupervised techniques for anomaly detection are: Clustering and One-Class SVM. The latter is considered state of the art in many problem domains and it is the one implemented by ODM. ODM also has clustering but it does not return the distance of a row to the center of the cluster. This information is necessary for using clustering for anomaly detection. If one wants to use clustering, the Oracle Data Mining blog has a post that can help compute distance from rows to centroids:
http://oracledmt.blogspot.com/2006/07/finding-most-typical-record-in-group.html
It is important to note that the method described in the post doesn't support nested column attributes.
When building unsupervised models, only the data for normal cases should be used to train the models. The unsupervised models can be seen as defining what is normal. The model will recognize that something is anomalous when it does not match the definition of normality it has learned.
(c) Use ODMR to help with modeling
(d) As new session information is gathered it is possible to score in real-time the session to detect anomalous behavior. One should score both supervised (if information was available) and unsupervised models to detect anomalous behavior. See the above paper for some discussion on this.
The supervised model will indicate if a case is anomalous or not based on known types of anomalous behavior. One should use ROC tuning in ODMR to find a good operating point for the model. This is necessary because the number of anomalous cases is usually small compared to normal ones.
The unsupervised model (one-class SVM) will provide a ranking. The higher the probability of belonging to class 1 the more normal. A 0.5 probability for class 1 indicates the boundary between normal and not normal. In reality it marks a boundary where normality dominates. There can be some anomalous cases with probability higher than 0.5 and some normal cases with probabilities less than 0.5. If working in batch mode we can rank the probabilities in ascending order and select the first K rows for investigation.
--Marcos
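
The steps above, carried through on a small constructed request log, as an added example that is not from the original post and does not use ODM: it builds mining cases per session and per time window, learns a profile from normal cases only, and ranks new cases in ascending order of normality to pick the first K. The log rows, the feature names and the simple deviation-based `normality` score are assumptions standing in for the one-class SVM.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed request log rows: (session_id, seconds_into_session, path, http_status)
NORMAL = [
    ("n1", 0, "/", 200), ("n1", 20, "/products", 200),
    ("n1", 45, "/products/7", 200), ("n1", 70, "/cart", 200),
    ("n2", 0, "/", 200), ("n2", 30, "/search", 200), ("n2", 90, "/products/3", 200),
    ("n3", 0, "/", 200), ("n3", 10, "/login", 200), ("n3", 50, "/favicon.ico", 404),
    ("n3", 80, "/account", 200), ("n3", 100, "/logout", 200),
]
NEW = (
    [("a", 0, "/", 200), ("a", 15, "/search", 200),
     ("a", 40, "/products/2", 200), ("a", 65, "/cart", 200)]
    + [("b", 2 * i, f"/missing/{i}", 404) for i in range(10)]
    + [("b", 20, "/", 200), ("b", 22, "/login", 200)]
    + [("c", 0, "/", 200), ("c", 25, "/products", 200), ("c", 50, "/products/9", 200)]
)


def mining_cases(requests, window=None):
    """Group requests into mining cases and compute one feature row per case.

    window=None -> one case per session, keyed by session_id
    window=N    -> one case per session and N-second window, keyed by (session_id, index)
    """
    groups = defaultdict(list)
    for sid, t, path, status in requests:
        key = sid if window is None else (sid, t // window)
        groups[key].append((path, status))
    return {
        key: {
            "n_requests": len(rows),
            "n_paths": len({p for p, _ in rows}),
            "n_errors": sum(1 for _, s in rows if s >= 400),
        }
        for key, rows in groups.items()
    }


def fit_normal_profile(cases):
    """Learn per-feature mean and spread from normal cases only."""
    names = next(iter(cases.values())).keys()
    profile = {}
    for name in names:
        values = [row[name] for row in cases.values()]
        # A constant feature has zero spread; fall back to 1.0 to avoid dividing by zero.
        profile[name] = (mean(values), pstdev(values) or 1.0)
    return profile


def normality(profile, row):
    """Stand-in score in (0, 1]: higher is more normal, 0.5 at an average 1-sigma deviation."""
    dev = mean(abs(row[n] - mu) / sd for n, (mu, sd) in profile.items())
    return 1.0 / (1.0 + dev)


def most_anomalous(profile, cases, k):
    """Batch mode: rank ascending by normality and keep the first k cases."""
    scored = sorted((normality(profile, row), key) for key, row in cases.items())
    return [(key, round(score, 3)) for score, key in scored[:k]]


if __name__ == "__main__":
    for window in (None, 60):
        profile = fit_normal_profile(mining_cases(NORMAL, window))
        print(window, most_anomalous(profile, mining_cases(NEW, window), 2))
```
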

A suggestion to speed up the process: provide more information about your data (e.g., schema) and how you are invoking the algorithm (GUI, API, settings). In case you are using the APIs, have you tried the sample programs for anomaly detection?
Regarding the Apriori algorithm, it does not support timestamp and date columns. In fact, none of the algorithms in ODM does (see the documentation for Oracle Data Mining for the supported column data types). The dbms_predictive_analytics package does. Are you trying to do sequential association rules or just trying to do plain association rules using data from a date column? ODM does not support the former. The latter can be done by converting the date column to a VARCHAR or NUMBER column.
--Marcos

Similar Messages

  • ODM Apriori and Anomaly Detection Questions

    I have 2 questions. The 1st concerns the Apriori algorithm: does it
    support timestamps and dates?
    If yes, then how do I use it :$ (is there any sample?)
    The other question regards Anomaly Detection: whenever I try
    building the model I get weird errors, and when I searched for the
    last error I found online "Reported as a bug". Its error is ORA:00600, but
    most of the time I get the error ORA-40109: inconsistent logical data
    record

    see Re: Some Questions regarding Apriori algorithm and anomaly detection for a reply

  • ODM ANOMALY DETECTION PROBLEM !!!!

    I'm trying to create an anomaly detection model, but I encounter this error: ORA-40101: Data Mining System Error ORA-00600: internal error code, arguments:
    [KGHALO2], [0x0], [], [], [], [], [], []
    Can anyone help me with this please?

    see Re: Some Questions regarding Apriori algorithm and anomaly detection for request for more information.
    --Marcos

  • MFP Anomaly Detected Access Points are moving from one wlc to another and vice versa

    Hi together,
    a customer has lost some Access Points to another WLC with 7.2  and then they come back after 15 minutes to the origin WLC with 7.5
    Attached the messages
    MFP Protection is configured as optional
    152
    Wed Nov 27 05:33:26 2013
    MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source mac 70:11:24:e4:43:0f
    153
    Wed Nov 27 05:31:40 2013
    AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0
    154
    Wed Nov 27 05:31:40 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:88:43:e1:56:91:d0 Cause=New Discovery Status:NA
    155
    Wed Nov 27 05:31:33 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:73:d0
    156
    Wed Nov 27 05:31:33 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    157
    Wed Nov 27 05:31:33 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    158
    Wed Nov 27 05:31:28 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:fc:20
    159
    Wed Nov 27 05:31:28 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    160
    Wed Nov 27 05:31:28 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    161
    Wed Nov 27 05:31:17 2013
    AP Disassociated. Base Radio MAC:b4:e9:b0:e4:02:20
    162
    Wed Nov 27 05:31:17 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    163
    Wed Nov 27 05:31:17 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    164
    Wed Nov 27 05:31:15 2013
    AP Disassociated. Base Radio MAC:a4:18:75:eb:da:b0
    165
    Wed Nov 27 05:31:15 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    166
    Wed Nov 27 05:31:15 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    167
    Wed Nov 27 05:28:26 2013
    MFP Anomaly Detected - 35 Not encrypted event(s) found as   violated by the radio d8:24:bd:2f:df:6f and detected by the dot11 interface   at slot 1 of AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth.   Client's last source mac 00:23:14:a7:e3:54
    168
    Wed Nov 27 05:23:26 2013
    MFP Anomaly Detected - 23 Not encrypted event(s) found as   violated by the radio f8:4f:57:a5:40:b2 and detected by the dot11 interface   at slot 0 of AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's   last source mac 44:4c:0c:ba:27:77
    Don't know at the moment how to handle it.
    Regards
    Alex

    Hi Alex,
    Disable Client MFP under the WLAN advanced tab and see if this still occurs.
    Regards
    Rasika

  • Global Correlation and Anomaly detection drop messages?

    We've implemented an SSP-40 and were wondering if there were event messages for Global Correlation or Anomaly detection drops.  We seem to only have signature event messages.
    Dennis

    Sure. Here is an example:
    evIdsAlert: eventId=1332748411090083862 severity=informational vendor=Cisco alarmTraits=32768
    originator:
       hostId: sensorName
       appName: sensorApp
       appInstanceId: 19247
    time: 2012/03/27 15:12:41 2012/03/27 15:12:41 UTC
    signature: description=ICMP Echo Request id=2004 created=20001127 type=other version=S592
       subsigId: 0
    interfaceGroup: vs0
    vlan: 1104
    participants:
       attacker:
         addr: locality=OUT A.B.C.3
       target:
         addr: locality=OUT A.B.C.2
         os: idSource=unknown relevance=relevant type=unknown
    actions:
       deniedPacket: true
    riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 95
    threatRatingValue: 60
    interface: ge2_0
    protocol: icmp
    globalCorrelation:
       globalCorrelationScore: -9.2
       globalCorrelationRiskDelta: 60
       globalCorrelationModifiedRiskRating: true
       globalCorrelationDenyPacket: true
       globalCorrelationDenyAttacker: false
       globalCorrelationOtherOverrides: false
       globalCorrelationAuditMode: false
    Alternatively, you can see the stats using:
    sensor# show  statistics analysis-engine | be Malicious
    MaliciousSiteDenyHitCounts
    A.B.C.D/16 = 1
    MaliciousSiteDenyHitCountsAUDIT
    Regards,
    Sawan Gupta

  • Anomaly Detection in IPS

    Hi,
    I am going to configure ad0 in IPS ver 7.0 using IME. If there is any guide to configure ad0 using IME then please share...

    Configuring Anomaly Detection (AD) using IME 7.1

  • Startup guide for oracle data mining for anomaly detection

    hi
    well I have set up Oracle 10g for data mining. I have also downloaded and installed the demo program.
    now I'm wondering how to start to develop my own model.... basically my idea is to use an anomaly detection technique for network traffic.
    I want to scan network packets and mine them for anomalies. do I have to create profiles for that and if yes how?
    A BIG DILEMMA... ANY ONE CAN PLS GUIDE, ILL APPRECIATE
    CHEERS
    ninja

    Ninja,
    You may also want to take a look at this thread in the forum:
    Re: Some Questions regarding Apriori algorithm and anomaly detection
    It has some discussion that might help.
    -Marcos

  • I downloaded ios5.1.1 to my phone, but I don't like the new software. The face detection used in the camera just isn't for me. So, I would like to know if there was a way to undo the update and go back to ios 5.0.1. My iphone is not jailbroken or unlocked.

    The face detection used in the camera just isn't for me.
    Try a different camera app.  Camera Plus is a good one and there are many others.

  • Issue: Detected use of SPRequest for previously closed SPWeb object

    I have a solution to create a web site from a custom web template. I used ULS Viewer to monitor the SharePoint error log during the process. I see some unexpected errors (Detected use of SPRequest for previously closed SPWeb object.  Please close SPWeb
    objects when you are done with all objects obtained from them, but not before.)
    I believe that it will bring up a memory leak issue at some time in the future, so I spent some time trying to find the root cause. There is no unexpected issue when creating a web site with an out of the box template (BLOG, WIKI, etc). I only get it with the custom
    template. Does anyone know the reason and solution for this issue? Thanks.

    protected void Button2_Click(object sender, EventArgs e)
    {
        string Client = "Client";
        string creatorId = "UserId";
        string creatorname = "Robin Hung";
        string rreatorEmail = "[email protected]";
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite newSite = new SPSite("http://localhost/sites/" + Client))
            {
                SPWebTemplateCollection WTC = newSite.GetWebTemplates(1033);
                SPWebTemplate webTemplate = newSite.GetWebTemplates(1033)["SubSite"];
                newSite.AllowUnsafeUpdates = true;
                SPDiagnosticsService.Local.WriteTrace(0,
                    new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                    TraceSeverity.Verbose, "Test 2", "Called");
                using (SPWeb spWeb = newSite.OpenWeb())
                {
                    SPDiagnosticsService.Local.WriteTrace(0,
                        new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                        TraceSeverity.Verbose, "Test 21", "Called");
                    spWeb.AllowUnsafeUpdates = true;
                    // Create three subsites from the custom template, tracing after each one.
                    spWeb.Webs.Add("Robin4", "Robin2", "test", 1033, webTemplate, false, false);
                    SPDiagnosticsService.Local.WriteTrace(0,
                        new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                        TraceSeverity.Verbose, "Test 211", "Called");
                    spWeb.Webs.Add("Robin5", "Robin2", "test", 1033, WTC["SubSite"], false, false);
                    SPDiagnosticsService.Local.WriteTrace(0,
                        new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                        TraceSeverity.Verbose, "Test 212", "Called");
                    spWeb.Webs.Add("Robin6", "Robin2", "test", 1033, WTC[30], false, false);
                    SPDiagnosticsService.Local.WriteTrace(0,
                        new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                        TraceSeverity.Verbose, "Test 213", "Called");
                    spWeb.AllowUnsafeUpdates = false;
                    SPDiagnosticsService.Local.WriteTrace(0,
                        new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                        TraceSeverity.Verbose, "Test 22", "Called");
                }
                newSite.AllowUnsafeUpdates = false;
                //currentSite.AllowUnsafeUpdates = false;
                SPDiagnosticsService.Local.WriteTrace(0,
                    new SPDiagnosticsCategory("Log", TraceSeverity.Verbose, EventSeverity.Verbose),
                    TraceSeverity.Verbose, "Test 4", "Called");
            }
        });
    }

  • How to test anomaly detection in IPS6 ?

    Hi!
    Does anybody have experience with AD in IPS6? I tried to test it today with 3 nmap sessions each scanning 100 different IPs. I saw the Sig 13003-0 (single scanner) fired:
    signature: description=AD - External TCP Scanner id=13003 version=S262
    alertDetails: . adExtraData: numDestIps=150; currentThreshold=150; destPort=80
    The scanner threshold was indeed set to 150:
    S1# sh ad-knowledge-base vs0 thresholds current
    External Zone
    TCP Services
    Default
    Scanner Threshold
    User Configuration = 150
    Threshold Histogram - User Configuration
    Low = 10
    Medium = 3
    High = 1
    UDP Services
    This is ok. The problem is that the Sig 13003-1 (worm) didn't fire, even though the number of scanned IPs was very high:
    S1# sh statistics anomaly-detection vs0
    Statistics for Virtual Sensor vs0
    Attack in progress
    Detection - ON
    Learning - OFF
    Next KB rotation at 10:00:00 MSK Fri Dec 28 2007
    Internal Zone
    TCP Protocol
    UDP Protocol
    Other Protocol
    External Zone
    TCP Protocol
    Service 80
    Source IP: 10.0.1.1 Num Dest IP: 280
    Questions:
    - what does Low/Medium/High exactly mean in threshold histogram?
    - how does the sensor detect worms? When the Sig 13003-1 fires? What sequence of events should happen?
    - how can I test it?

    The sensor constantly watches for scanners on each port.
    There are 3 categories of scanners:
    Low scanners - scanners that are only scanning a low number of hosts.
    Medium scanners - scanners that are scanning a medium number of hosts
    High scanners - scanners that are scanning a high number of hosts
    NOTE: I can't remember for sure how many hosts must be scanned for it to be a "Low" number of hosts, or "Medium" or "High". But it may be something like 5 hosts scanned is a "Low" scanner, 20 for Medium and 100 for High. Once again I am not sure of those numbers.
    Also be aware that the number of hosts scanned is not the total number of hosts scanned, but is instead the number of hosts scanned THAT did not respond.
    If you connect to 100 web servers and all web servers respond then it does not count that as a scan. If you try to connect to 100 web servers and 92 respond, then for the 8 that don't respond you would be categorized as a Low scanner.
    But just because a scanner is counted in a category does not mean an alert will be generated.
    There are 2 types of alerts (subsig 0 alerts, and subsig 1 alerts)
    Subsig 0 alerts are for a scanner that is scanning enough hosts that you want an alert for it even when no worm has been declared.
    This is the "scanner Threshold / User Configuration = 150" that you see in the "show ad-knowledge-base vs0 thresholds current" output.
    If a scanner scans more than 150 hosts then a specific alert is generated even though no worm has been declared.
    Any scanners scanning less than 150 hosts are still categorized but do not have alerts generated for them when no worm has been declared.
    The subsig 1 alerts are for when a Worm has been declared.
    Here is how a worm gets declared:
    The Thresholds for Low, Medium, and High that you see in "show ad-knowledge-base vs0 thresholds current" are the number of active scanners in each category that are allowed to normally be seen on your network (this is the number of scanners that will be seen on your network even when there are no worms).
    A worm gets declared when the number of scanners in any one of the 3 categories goes above the threshold for that category.
    Let's take for example Medium=3 as the threshold for port 21. And let's assume it takes a scan of 20 hosts to be categorized as a Medium scanner.
    This means normally you could have up to 3 scanners on your network where each scanner is scanning 20 or more non-responding hosts on port 21.
    (Maybe these are 3 network administrators periodically checking to see which machines have port 21 open)
    Suddenly you have 5 scanners that start scanning on port 21 and each of the 5 winds up with 20 or more non-responding hosts.
    That 5 has broken the threshold of 3, and a worm is declared. Now any Medium Category scanner on port 21 will begin being declared a scanner under a worm condition (subsig 1).
    So for your testing.
    Instead of running a scan of 100 hosts from just one machine, I would recommend you scan the same 100 hosts from 2 or 3 machines (NOTE: Only need to scan a single port across those 100 hosts).
    Scanning 100 hosts should get them categorized as High scanners. And having 3 High Scanners should push it over the threshold of 1.
    BUT keep in mind that it needs to be 100 hosts not responding on the scanned port.
    Then you will also want to try it with fewer hosts being scanned (like say 25), but with say 5 machines running nmap doing the scanning.
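
A small model of the alerting logic described in the reply above, added here as an illustration (it is not Cisco's code and not part of the original thread), for checking which subsignature a given traffic pattern should raise. The 5/20/100 category boundaries are the reply's own uncertain recollection, counting each scanner only in its highest category is an assumption, and the probe data is constructed.

```python
from collections import defaultdict

# Values from the "show ad-knowledge-base vs0 thresholds current" output in the question.
SCANNER_THRESHOLD = 150
HISTOGRAM = {"low": 10, "medium": 3, "high": 1}
# Assumed boundaries: the reply recalls "something like" 5 / 20 / 100 hosts.
BOUNDS = [("high", 100), ("medium", 20), ("low", 5)]


def unanswered_counts(probes):
    """probes: (source, destination, responded). Only destinations that did
    not respond count toward a source's scan total."""
    dests = defaultdict(set)
    for src, dst, responded in probes:
        if not responded:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def category(n_unanswered):
    """Highest category whose (assumed) boundary the count reaches, else None."""
    for name, minimum in BOUNDS:
        if n_unanswered >= minimum:
            return name
    return None


def evaluate(probes):
    """Return the worm state, per-source categories and the alerts to expect for one port."""
    counts = unanswered_counts(probes)
    categories = {src: category(n) for src, n in counts.items()}
    per_category = defaultdict(int)
    for cat in categories.values():
        if cat is not None:
            per_category[cat] += 1
    # A worm is declared when any category holds more scanners than its threshold.
    violated = {cat for cat, n in per_category.items() if n > HISTOGRAM[cat]}
    alerts = []
    for src, n in sorted(counts.items()):
        if categories[src] in violated:
            alerts.append((src, "13003-1"))   # scanner under a worm condition
        elif n >= SCANNER_THRESHOLD:
            # The alert quoted in the question fired at numDestIps=150 with threshold 150.
            alerts.append((src, "13003-0"))   # single scanner, no worm declared
    return {"worm_declared": bool(violated), "categories": categories, "alerts": alerts}


def scan(src, silent, answering=0):
    """Constructed probes: `silent` destinations never reply, `answering` ones do."""
    return ([(src, f"silent-{i}", False) for i in range(silent)]
            + [(src, f"up-{i}", True) for i in range(answering)])


if __name__ == "__main__":
    # One source with 280 unanswered destinations, as in the statistics output.
    print(evaluate(scan("10.0.1.1", 280))["alerts"])
    # Three sources with 100 unanswered destinations each.
    three = scan("s1", 100) + scan("s2", 100) + scan("s3", 100)
    print(evaluate(three)["alerts"])
```

Under these assumptions a single source with 280 unanswered destinations raises only subsig 0, because one High scanner does not exceed the High threshold of 1.
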

  • Detected use of SPRequest for previously closed SPWeb object. Please close SPWeb objects when you are done with all objects obtained from them

    HI
    I keep seeing this message in ulsviewer of splogs in a web front end server
    Detected use of SPRequest for previously closed SPWeb object.  Please close SPWeb objects when you are done with all objects obtained from them, but not before.  Stack trace:  
    at Microsoft.SharePoint.SPWeb.get_Exists()   
    at Microsoft.SharePoint.WebControls.CssLink.OnLoad(EventArgs e)   
    at System.Web.UI.Control.LoadRecursive()   
    at System.Web.UI.Control.LoadRecursive()   
    at System.Web.UI.Control.LoadRecursive()   
    at System.Web.UI.Control.LoadRecursive()   
    at System.Web.UI.Control.LoadRecursive()   
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)   
    at System.Web.UI.Page.ProcessRequest()   
    at System.Web.UI.Page.ProcessRequest(HttpContext context)   
    at ASP._layouts_icc_icc_scan_view_aspx.ProcessRequest(HttpContext context)   
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)   
    at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)   
    at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)   
    at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)   
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)   
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)   
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)   
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr managedHttpContext, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
    adil

    Hi,
    Your SPweb object is not disposed properly.
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/3a25eb86-8415-4053-b319-9dd84a1fd71f/detected-use-of-sprequest-for-previously-closed-spweb-object-please-close-spweb-objects-when-you?forum=sharepointdevelopmentprevious
    http://sharepoint.stackexchange.com/questions/50793/detected-use-of-sprequest-for-previously-closed-spweb-object-after-spquery

  • IPS anomaly detection knowledge base

    Hello
    I have configured my IPS device anomaly detection policy for learning accept mode for 48 hours,
    and after learning finished I see a knowledge base file which is only 88 bytes in size. Is this normal?

    Depending on your network complexity, you may want to have anomaly detection in learning accept mode for longer than the default 24 hours. Yes, the knowledge base will be replaced with the new knowledge base.
    Regards
    Rajeswar

  • Anomaly Detection Internal Zones

    Hello,
    I have specified my full corporate IP subnet in the internal zone, but I have not configured any TCP or UDP port for any destination. I have also kept the default thresholds.
    Is it necessary to configure a destination port for the TCP and UDP protocols?
    Thanks

    Hello,
    Up till now I am not facing any issues with IPS, but I want IPS to monitor all the ports for the Internal zone, so this is the reason I am asking whether we have to specify particular TCP and UDP ports for anomaly detection while configuring the Internal zone.
    If I am not specifying any port, then what does it monitor? Is this an incomplete configuration, or does it monitor all the ports (1-65535)?
    Thanks

  • Using ODM to setup provisioning

    All,
    Is oidprovtool the only way to setup provisioning ?
    Can we use ODM to do the same ? I was trying to set
    up provisioning between Portal and OID, and the only
    way (per Metalink) was using the oidprovtool commandline interface. ODM has Integration as one of the admin options, but I was not able to specify some of the options required to setup OID <-> Portal provisioning.
    Thanks

  • Anomaly Detection

    Guys,
    I need to create my KB because the current one is very very old ( 09:59:59 GMT-06:00 Tue Sep 22 2009 ). When I try to save it manually with the command
    anomaly-detection vs0 save MYKB    I get an error that says:  Attack in progress
    I need to create a new KB and load it because the Rotate method is not working since the last KB is very old. I think it's not working because there is an attack ALWAYS.
    Can I save and load a KB file manually even if there is an attack in progress?
    If not, how can I fix my problem?
    Thanks,
    DiegoCR CCSP

    Hi Diego
    You can fix this by:
    Turn the anomaly detection off (operational-mode inactive)
    Erase/copy/load the files you need and start the anomaly detection or preferably put the sensor in learning accept mode (operational-mode learn) and wait for 24 hours.
    Br
    Johan Kellerman
